External Authentication Injection

External Authentication Injection

Overview of the Vulnerability

Content spoofing is a common attack where plaintext or HTML content is injected into a web page that can be rendered in a client. Due to this injection vulnerability in the application, users are often socially engineered to perform an action due to the inherent trust they have in the business and its brand.

A successful external authentication injection can allow an attacker to social engineer users to navigate to another website and have them enter information, such as their user credentials.

Business Impact

This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust.

Steps to Reproduce

1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP

2. Use a browser to navigate to: {{URL}}

3. Perform {{action}} and capture the request in the HTTP interception proxy

4. Insert {{payload}} in {{parameter}} and forward or replay the following request to the endpoint:

{{request}}

Proof of Concept (PoC)

The screenshot(s) below demonstrates the content spoofing:

{{screenshot}}

Recommendation(s)

There is no single technique to protect from content spoofing. However, the following best practices should be adhered to:

• Validate all input data, including that which is reflected by a request parameter

• Refrain from passing HTML data via request parameters. Properly encode the HTML before passing it through a request parameter if there is no other way.

• Refrain from displaying messages via request parameter. It is best practice to use temporary sessions instead.

For more information, please see:

• https://capec.mitre.org/data/definitions/148.html

• https://owasp.org/www-community/attacks/Content_Spoofing

• https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding